Netgate Discussion Forum

    Setting Source Address

    Firewalling
      Tampert

      I'm trying to set my firewall rules to allow only three specific external IPs to connect to services running behind my pfSense firewall. RDP can be accessed by any IP.

      RDP works without issue, but the services which are restricted by Source Address are inaccessible. I made sure they are actually running, and that I'm actually trying to connect from one of the whitelisted IPs. My port forward rules look like this.

      I have one complication in my network, which is that I have an ADSL modem which doesn't support bridge mode (it's a Fritzbox). pfSense is in the DMZ of the modem. In the Firewall logs, I'm only seeing WAN=OUT rules passing from my external whitelisted IP, but nothing else.

      At this point I'm lost, but I'm sure it's something easy I'm overlooking… :o

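      When a source-restricted port forward never matches, the first thing to establish is what pfSense itself sees arriving on WAN: whether any inbound packet for the restricted port shows up at all, and what source address it carries. The script below is an added example for this thread, not code from the posters or from pfSense. It parses pfSense's raw filterlog CSV lines (the field order assumed here is the documented IPv4 layout: rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, then the IPv4 header fields, source, destination, and for TCP/UDP the ports) and reports, per destination port, which sources hit the WAN interface inbound and whether each is in the allowlist. All log lines, addresses, ports, rule and tracker numbers, and the interface name `em0` are constructed for illustration; one constructed line deliberately uses the modem's private LAN address as the source, to show what the check flags if the device in front of pfSense rewrote the source address. The thread does not establish that the poster's modem does this; it is only the case a practitioner would want the check to catch.

```python
"""Summarise pfSense filterlog lines: who hit the WAN inbound, on which port,
and is that source in the allowlist?  Added example for this thread, not
code from pfSense or the posters.  Sample data below is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (RFC 5737 / private addresses).  198.51.100.10
# stands in for the pfSense WAN address inside the modem's DMZ,
# 203.0.113.5 for one allowlisted client, 192.0.2.77 for a random client,
# and 192.168.178.1 for the modem's own LAN address (hypothetical case
# where the upstream device rewrote the source).  Rule/tracker numbers
# and the interface name em0 are made up for the example.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,3389,0,S,1,,65535,,mss
Mar  1 10:00:02 pfSense filterlog: 5,,,1000000103,em0,match,pass,out,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.10,203.0.113.5,3389,51234,0,SA,1,,65535,,mss
Mar  1 10:00:05 pfSense filterlog: 7,,,1000000105,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,192.0.2.77,198.51.100.10,40001,8443,0,S,1,,65535,,mss
Mar  1 10:00:09 pfSense filterlog: 7,,,1000000105,em0,match,block,in,4,0x0,,52,0,0,DF,17,udp,60,192.168.178.1,198.51.100.10,40002,8443,0
"""

# The three allowlisted external addresses (constructed).
ALLOWLIST = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")


def parse_filterlog_line(line):
    """Return a dict for one IPv4 filterlog entry, or None if not parseable.

    Field positions follow the pfSense raw filter log format for IPv4;
    IPv6 entries and non-TCP/UDP ports are not handled here.
    """
    m = FILTERLOG_RE.search(line)
    csv = m.group("csv") if m else line.strip()
    f = csv.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    entry = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
        "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19],
        "sport": None, "dport": None,
    }
    if entry["proto"] in ("tcp", "udp") and len(f) >= 22:
        entry["sport"], entry["dport"] = int(f[20]), int(f[21])
    return entry


def summarize(log_text):
    """Count entries by (iface, direction, action, source, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if e:
            counts[(e["iface"], e["direction"], e["action"], e["src"], e["dport"])] += 1
    return counts


def check_sources(log_text, wan_iface, restricted_ports, allowlist):
    """For inbound WAN hits on the restricted ports, record each source
    address seen, whether it is allowlisted, and what pf did with it."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    seen = {}
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if not e or e["iface"] != wan_iface or e["direction"] != "in":
            continue
        if e["dport"] not in restricted_ports:
            continue
        src = ipaddress.ip_address(e["src"])
        rec = seen.setdefault(e["src"], {"allowed": any(src in n for n in nets),
                                         "actions": Counter()})
        rec["actions"][e["action"]] += 1
    return seen


def allowlisted_never_seen(seen, allowlist):
    """Allowlisted addresses that produced no inbound hit at all: if the
    client you are testing from is in this list, its packets are not
    reaching pfSense's WAN (or are not being logged), so the pass rule
    never had a chance to match."""
    return sorted(a for a in allowlist if a not in seen)


if __name__ == "__main__":
    seen = check_sources(SAMPLE_LOG, "em0", {8443}, ALLOWLIST)
    for src, rec in seen.items():
        print(f"{src:16} allowlisted={rec['allowed']} {dict(rec['actions'])}")
    print("allowlisted but never seen inbound:", allowlisted_never_seen(seen, ALLOWLIST))
```

      Run it against the contents of /var/log/filter.log (or a copy pulled off the box). Two outcomes are diagnostic: if every allowlisted address is in the "never seen" list while RDP hits from the same client are logged, inbound packets for the restricted port are not arriving or not being logged; if the restricted port is hit but the source column shows an address other than the client's real external IP, a rule keyed on that external IP can never match.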
        phil.davis

        I can't see the port-forward rules - did you forget the screen shot?

        The DMZ thing should work (and it obviously works for your RDP) - I have a few front-end devices where I do that. For that sort of low-end device the "DMZ IP address" usually really means "the place to do a 1:1 port forward to", and everything arriving on the real WAN gets directed straight through to the inside pfSense WAN IP.

        For RDP or other interactive user things, IMHO it is better to have a road-warrior (Open)VPN server and get the remote users to connect by VPN and then do RDP or whatever once they are logically on the intranet. The road warrior VPN can be made more secure (certificate plus username/password). But that is your design decision, not directly the subject of your post.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.